view dbdot-17-03-001_word version_as_amended - ohio web viewcentric consulting llc. ... include...


Upload: phamduong

Post on 06-Feb-2018


NOTICE

This opportunity is being released to DBITS Contractors pre-qualified as a result of Open Market RFP #0A1147.

ONLY Contractors pre-qualified in the Applications Development and Maintenance Transition Planning Category are eligible to submit proposal responses AND to submit inquiries. The State does not intend to respond to inquiries or to accept proposals submitted by organizations not pre-qualified in this Technology Category.

An alphabetical listing of Contractors pre-qualified to participate in this opportunity follows:

Accenture; Advocate Consulting Group; Advocate Solutions LLC; Ardent Technologies; CapTech Ventures; Cardinal Solutions Group; Careworks Tech; CDI Corp; Centric Consulting LLC; CGI Technologies and Solutions, Inc.; CMA Consulting Services; Computer Aid, Inc.; Crowe Horwath LLP; Data Transfer Solutions; Data-Core Systems, Inc.; enfoTech; Halcyon; HMB, Inc.; IBM; IIT Contacts; Infojini; Information Control Company; JMT Technology Group; Kunz, Leigh & Associates; Lochbridge; Mapsys Systems & Solutions; MAXIMUS Human Services, Inc.; McGladrey LLP; MGT of America, Inc.; Navigator Management Partners LLC; Peerless Technologies; Persistent Systems; Planet Technologies; Prelude System; Quantrum LLC; Quantrum LLC; Quick Solutions; R. Dorsey & Company; Sense Corp; Sogeti USA, LLC; Sondhi Solutions; System Soft Technologies; System Soft Technologies; Systems Technology Group, Inc.; TCC Software Solutions; Team Ray Technologies, LLC; TEK Systems; Teranomic; The Greentree Group; Truven Health Analytics; Unicon International. Inc.; Vertex; Windsor Solutions; XLN Systems

ENTERPRISE IT CONTRACTING | DBITS SOW Solicitation 1


Statement of Work Solicitation

State of Ohio
Department of Transportation
Officer Crash Mapping
Project Statement of Work

DBITS Solicitation ID No.: DBDOT-17-03-001

Solicitation Release Date: 03-15-17

Section 1: Purpose

The purpose of this Project Statement of Work (SOW) is to provide The Ohio Department of Transportation with information technology services in the Applications Development and Maintenance Transition Planning Category. A qualified Contractor, hereinafter referred to as the “Contractor”, shall furnish the necessary personnel, equipment, material and/or services and otherwise do all things necessary for or incidental to the performance of work set forth in Section 3, Scope of Work.

Table of Contents

Section 1: Purpose
Section 2: Background Information
Section 3: Scope of Work
Section 4: Deliverables Management
Section 5: SOW Response Submission Requirements
Section 6: SOW Evaluation Criteria
Section 7: SOW Solicitation Calendar of Events
Section 8: Inquiry Process
Section 9: Submission Instructions & Location
Section 10: Limitation of Liability
Supplement 1: Security and Privacy
Supplement 2: OH-1 Crash form

Timeline

SOW Solicitation Release to Pre-Qualified: March 15, 2017
Inquiry Period Begins: March 15, 2017
Inquiry Period Ends: April 3, 2017
Proposal Response Due Date: April 14, 2017 at 1:00 p.m. (Columbus, Ohio local time)

Section 2: Background Information

2.1 Agency Information

Agency Name: Ohio Department of Transportation (ODOT) Highway Safety Program

Contact Name: Derek Troyer – Highway Safety Program

Contact Phone: (614) 387-5164

Bill to Address:
Derek A. Troyer, P.E.
Highway Safety Program - Safety Engineer
Ohio Department of Transportation
1980 West Broad Street
Columbus, OH 43223

2.2 Project Information

Project Name: Officer Crash Mapping Application

Project Background & Objective

The Officer Crash Mapping Application project involves the establishment of a new application for the ODOT Highway Safety Program and the Ohio Department of Public Safety (ODPS). The application will be installed on Ohio Highway Patrol cruiser laptops along with other law enforcement agencies. The application will gather crash location information and will auto-populate 17 fields on the OH-1 Crash form (Supplement Two) on the laptop via an interface. The information will then be processed and distributed to ODPS and ODOT for reporting and analysis purposes as is the current process today.

Currently, the officers complete crash information on the OH-1 Form, using the OTIS (Ohio Trooper Information System – a part of OLEIS - Ohio Law Enforcement Information Sharing Portal) application on cruiser laptops, using a variety of manual methods to determine the location including referencing intersections, landmarks, and mile markers. These methods result in inconsistent and inaccurate crash location information due to estimating reference distances or ambiguous reference information.

The following table lists the required data fields for the new application. These fields are from the OH-1 Crash Report form. The application user will have the capability and option of populating these data fields automatically or manually.

Field Name | Source Table
County Code | Crash
City, Village, Township Code | Crash
City, Village, Township Name | Crash
Latitude/Longitude – Decimal Degrees | Crash
Location Route Type | Crash
Location Route Number | Crash
Location Prefix (N,S,E,W) | Crash
Location Road Name | Crash
Location Road Type | Crash
Distance from Reference (miles, feet, yards) | Crash
Direction from Reference (N,S,E,W) | Crash
Reference Route Type | Crash
Reference Route Number | Crash
Reference Prefix (N,S,E,W) | Crash
Reference Name (Road, Milepost, House #) | Crash
Reference Road Type | Crash
Reference Point Used | Crash
Log Point (this is not on the crash report but it will be stored behind the scenes from the roadway inventory) | Crash
NLF_ID (this is not on the crash report but it will be stored behind the scenes from the roadway inventory) | Crash

Background

The Highway Safety program is administered by the Ohio Department of Transportation (ODOT) and emphasizes safety in all phases of highway development by identifying and studying safety problems, developing solutions, establishing priorities, implementing countermeasures and evaluating improvements on any public roadway.

ODOT has established the Highway Safety Program to create a process which emphasizes the safety of the traveling public by analyzing the crash statistics on Ohio’s state and local highway system. The Department utilizes the Highway Safety Program system to identify intersections and highway sections with a high frequency or rate of crashes.

Business Need

The document used to record crash data is the Ohio Department of Public Safety Traffic Crash Report, commonly referred to as the OH-1 Form. Crash information is recorded on the OH-1 Form by the Ohio State Highway Patrol, and other law enforcement agency officers from county, city, township and village municipalities. Various methods are used to determine the location of a crash, including referencing intersections, address, and mile markers. Once a crash location is determined using one of these methods, approximately 17 other key location data fields are manually filled in. The key to prioritizing safety initiatives is knowing the crash location.

This method results in the collection of inconsistent and inaccurate crash location information, due to estimating reference distances or ambiguous reference information. Additionally, a large amount of effort is required to manually correct the inaccurate location information, downline, before it can be used by other systems, identify safety priority locations and develop improvement countermeasures.

Currently, the Highway Safety Program uses crash data from across the state of Ohio in the following ways:

Populates GIS Crash Analysis Application (GCAT) – users can search crash data via the GCAT application based on location. GCAT is used by ODOT, other government agencies, and consultants that perform safety related work.

Populates Highway Safety Improvement Program (HSIP) – Districts, County, City, Township, and Village law enforcement agencies use HSIP to submit crash data and crash diagrams.

Safety Priority Lists – ODOT Districts study and rank priority locations based on crash data and the potential to improve safety at those crash locations.

Systematic Safety - ODOT installs low cost safety countermeasures across the state. These countermeasures cover a large majority of the roadway network. The locations are prioritized based on crash data.

Besides the Ohio State Highway Patrol, there are approximately 170 other law enforcement agencies who submit crash reports using the Ohio Law Enforcement Information System (OLEIS)/OTIS program. Additionally, there are another approximately 190 agencies using a non-OLEIS/OTIS software solution. The volume of reports that are submitted in electronic format is currently around 60% of the total reports submitted.

This new application will improve the crash location process by obtaining better information from the source or officer. The application will reduce the reliance on the time consuming manual internal processing of crash data to identify the location of the crash.


Business Opportunity

The proposed Officer Crash Mapping Application (OCM) will be a Standalone application that will integrate with OTIS and other crash reporting applications used by agencies. It is intended to be used by the Ohio Highway Patrol and other law enforcement agencies in the field and in law enforcement office locations. The crash mapping tool will be placed on the MCT (Mobile Computer Terminal) laptops.

Business Objectives

The purpose of the project is to create a new application to integrate with OTIS that will:

Enable law enforcement officers to populate 17 primary location-based fields on the OH1 Form automatically.

Populate the key fields more efficiently and accurately.

Provide the ODOT Highway Safety team with reliable crash data.

Create a consistent method for locating crashes.

Improve final safety analysis results.

Key Tasks/Requirements

The system must provide a user interface that can be launched from the existing Crash Reporting Applications (OTIS) used by ODPS and OSHP. It must also be compatible with other law enforcement crash reporting applications.

The system must be capable of using GPS technology (if available) to find the current location of a law enforcement vehicle to pull the lat/long from the onboard GPS or provide a map for a user to manually click their location.

The system must be capable of providing/displaying aerial imagery.

The system must use/contain the tile package base-layer map of the state of Ohio.

The system must be capable of displaying Ohio State Patrol districts and Ohio counties.

The system must be able to populate 19 fields (17 from the report, but recording 19 fields) of data related to the location via an interface to the OTIS system.

Project Benefits

For Law Enforcement Agencies:

A) Reduce the amount of time that is spent filling out crash reports.
   1) More time can be dedicated to other duties.
   2) Reduction in secondary crashes with less time being spent on the side of the road.

B) Will greatly improve location information. This will be beneficial when law enforcement agencies need to focus enforcement in certain areas.

For ODPS:

A) Less data edits/checks and less time spent informing agencies of submission errors.
   1) There are current checks that verify the lat/long location was correctly recorded.

B) Will produce further incentives for agencies to upgrade to electronic reporting if they have not already. The OLEIS system is free and available for agencies to use. Electronic data is timelier and has less chance of errors than hand written reports.

C) Easier to query data with more consistent results.

For ODOT:

A) More accurate and consistent location information in the ODOT database, which is used for:

   a. Highway Safety Program
      i. District Safety Studies from Annual Priority lists
      ii. Crash Site Analyses
      iii. Statewide Crash Rates
      iv. Construction Work Zone Safety
      v. Safe Routes to School
      vi. County Surface Transportation Program (CEAO)
      vii. Township Signage Program
      viii. Crash Reduction Factors
      ix. Multi-State Highway Information Systems (HSIS)
   b. Other ODOT office uses
      i. Signalization Warrants
      ii. Speed Studies
      iii. Snow/Ice Maintenance Analyses
      iv. Incident Management

B) Easier and more accurate to query and map data.

C) Less time spent on cleaning up data and hand logging crashes

D) Less time spent on programming data cleanup.

Public Requests

More consistency statewide from law enforcement, ODOT, and ODPS when public requests ask for crash information.

Regulatory - Federal

ODOT can provide more accurate information to the federal government by using the OCM Application data to populate the Federal Highway Safety Improvement Program Annual Report.

Assists with MAP-21, a statute that requires a state have in place a safety data system to perform safety problem identification and countermeasure analysis.

2.3 Project Schedule


Expected Project Duration

The selected Contractor will be notified by ODOT when work may begin. The estimated start date for this project is late May 2017. This project is expected to be completed within twelve (12) months after the project start date.

2.4 Project Milestones

Date Milestone

Kickoff Meeting

Completion of Discovery / Requirements

Completion and delivery of Wire Frames / Designs

Completion and delivery of Construction elements

Completion of all Testing

Signoff on Application Testing results

Beta Deployment

2.5 Contractor’s Work Effort Requirement

The Contractor’s full-time regular employees must perform at least 30% of the effort required to complete the Work. The Contractor may use its personnel or subcontractor personnel to meet the remaining 70% of the effort.

2.6 Ohio Certified MBE Set-Aside Requirement None

Section 3: Scope of Work

3.1 Description of Scope of Work

Automate data entry for approximately 19 key fields from the OH1 Form based on found location.

Data points to include address, intersection and milepost

Interface from OCM app to OTIS OH1 form on laptop

Able to display Aerial Imagery stored on laptop

Document Technical Software Architecture Diagram

Follow OGRIP (Ohio Geographically Referenced Information Program)/MCT (Mobile Computer Terminals) Refresh Schedule for Road Inventory and Imagery

Beta Deployment /Installation Plan and Installation Documentation

Product Support Plan


3.2 Assumptions and Constraints

Describe applicable assumptions and constraints on the project scope, schedule, resources, or budget.

Assumptions

The vendor has staff with GIS knowledge and development experience.

The vendor provides technical resources that have experience developing GIS applications that integrate with other applications.

The new application will be a standalone system and will integrate with OTIS on the MCT laptop.

The Highway Safety Program and the Ohio Department of Public Safety are joint stakeholders in this project/implementation.

In-scope requirements will be defined in the approved Business Requirements Specification (BRS) document.

Constraints

Application size limit of 10 GB

Use of SQLExpress for application

Patrol Laptop specifications

App should be able to work with or without GPS

3.3 Detailed Description of Deliverables

Deliverables must be provided on the dates specified (once defined). Any changes to the delivery date must have prior approval (in writing) by the Agency contract manager or designee.

All deliverables must be submitted in a format approved by the Agency’s contract manager.

All deliverables must have acceptance criteria established and a time period for testing or acceptance.

If the deliverable cannot be provided within the scheduled time frame, the Contractor is required to contact the Agency contract manager in writing with a reason for the delay and the proposed revised schedule. The request for a revised schedule must include the impact on related tasks and the overall project.

A request for a revised schedule must be reviewed and approved by the Agency contract manager before placed in effect.

The Agency will complete a review of each submitted deliverable within specified 5 working days of the date of receipt.

A kickoff meeting will be held at a location and time selected by the Agency where the Contractor and its staff will be introduced to the Agency.

Deliverable Name | Deliverable Description
Detailed Project Plan & Schedule | Provide a detailed project plan and schedule of activities to complete the application.
Weekly Status Reports | Provide weekly status report of activities for the current week and plans for the next week.
Detailed Requirements document | Provide a detailed requirements document to ensure all functionality has been included
Detailed Wire Frames | Provide detailed mock ups / designs of screens for the application
Software Architecture Diagram (SAD) | Provide a diagram of the architecture of the application
Delivery of Construction elements via bi-weekly sprints | Demonstrate developed working code during bi-weekly sprint reviews
Completion of system testing / signoff | Provide documented results of testing including bugs and resolutions
Completion of UAT testing / signoff | Agency
Train-the-Trainer to ODOT / ODPS teams | Provide train-the-trainer sessions for ODOT and ODPS project teams
Beta Deployment plan | Develop a detailed beta deployment plan for ODPS
Beta Deployment | Lead and supervise technical deployments to beta sites
Product support plan / Maintenance | Develop a detailed product support plan for the application post deployment and provide maintenance services as needed

Deliverable Name | Due Date (If applicable) | Payment Eligible? Yes/No | Acceptance Criteria
DISCOVERY PHASE: Detailed Project Plan & Schedule | | No | Approval from ODOT/ODPS project managers and ODOT Sponsor
Throughout Project: Weekly Status Reports | | No | Approval from ODOT/ODPS project managers and ODOT Sponsor
DISCOVERY PHASE: Detailed Requirements document | | No | Approval from the ODOT BA, ODOT Sponsor, ODPS Lead
DISCOVERY PHASE: Detailed Wire Frames | | No | Approval from the ODOT Sponsor and ODPS Sponsor
DISCOVERY PHASE: Software Architecture Diagram (SAD) | | No | Approval of the ODPS Technical lead
DEVELOPMENT PHASE: Delivery of Development elements via bi-weekly sprints | | No | Approval from the ODOT Sponsor
DEVELOPMENT PHASE: Completion of system testing / signoff | | Yes – at end of development signoff | Approval from the ODOT Sponsor
TESTING PHASE: Completion of UAT testing / signoff | | Yes | Approval from the ODOT Sponsor
TRAINING PHASE: Train-the-Trainer to ODOT / ODPS teams | | No | Approval from the ODOT Sponsor and ODPS Sponsor
DEPLOYMENT PHASE: Beta Deployment plan | | No | Approval from the ODOT Sponsor and ODPS Sponsor
DEPLOYMENT PHASE: Beta Deployment | | Yes | Approval from the ODOT Sponsor and ODPS Sponsor
POST DEPLOYMENT SUPPORT / MAINTENANCE PHASE: Product support plan (Beta Production Release) | | Yes | Approval from the ODOT Sponsor and ODPS Sponsor

3.5 Roles and Responsibilities

Describe roles and responsibilities of the State agency and Contractor.

Project or Management Activity/Responsibility Description Contractor Agency

Project Schedule and Deliverables X

Overall Project Status Reports X

3.6 Restrictions on Data Location and Work

The Contractor must perform all work specified in the SOW Solicitation and keep all State data within the United States, and the State may reject any SOW Response that proposes to do any work or make State data available outside the United States.

The Contractor will comply with all state and federal laws regarding equal employment opportunity and fair labor and employment practices, including Ohio Revised Code Section 125.111 and all related Executive Orders.

3.7 Resource Requirements

The Contractor will be provided with an MCT laptop with OTIS Installed.

Section 4: Deliverables Management


4.1 Submission/Format

Describe project management artifacts and work product deliverable submission/format requirements.

PM Artifact/Project Work Product | Submission | Format
Project Plan & Schedule | Via email | Microsoft Project compatible format
Status Reports | Via email | Microsoft Office compatible
All Project documents are to be delivered electronically | Via email, as required | Microsoft Office compatible

4.2 Reports and Meetings

The Contractor will be responsible for conducting weekly status meetings with the Agency contract manager and the ODPS/ODOT team. The meetings will be held on a day to be decided at a time and place so designated by the Agency contract manager – unless revised by the Agency contract manager. The meetings can be in person or over the phone at the discretion of the Agency contract manager.

The Contractor will be responsible for conducting Sprint Review meetings every two weeks on a day to be defined. During the Sprint Review, working code developed in the previous two weeks will be shown for Agency feedback.

4.3 Period of Performance

The project is to be completed within twelve (12) months of the Kickoff Meeting. Performance is based on delivery and acceptance of each deliverable.

4.4 Performance Expectations

The Vendor will support the ODPS/ODOT IT Department following deployment as follows:

Support: The process of resolving software conflicts and usability problems, day to day issues that come in the application, and in supplying updates and patches for bugs and security holes in the program, documenting any changes in the source code.

Maintenance: The process of supporting the application and/or component after delivery to correct defects, maintain performance and/or maintain compatibility with other elements in the technical environment to ultimately ensure the existing system and/or business functionality continues to operate as already designed. The maintenance of the application and/or component is not constrained by the time and/or size of the effort.

The vendor shall provide communication for all functions via telephone, email, and internet support.

This section sets forth the performance specifications for the Service Level Agreements (SLA) to be established between the Contractor and State. Most individual service levels are linked to “Fee at Risk” due to the State to incent Contractor performance.

The Service Levels contained herein are Service Levels for this SOW Solicitation. Both the State and the Contractor recognize and agree that Service Levels and performance specifications may be added or adjusted by mutual agreement during the term of the Contract as business, organizational objectives and technological changes permit or require.


The Contractor agrees that 10% of the not to exceed fixed price for the SOW will be at risk (“Fee at Risk”). The Fee at Risk will be calculated as follows:

Total Not to Exceed Fixed Price (NTEFP) of the SOW x 10% = Total Fee at Risk for the SOW

Furthermore, in order to apply the Fee at Risk, the following monthly calculation will be used:

Monthly Fee At Risk = (Total Fee at Risk for the SOW) / (Term of the SOW in months)

The Contractor will be assessed for each SLA failure and the “Performance Credit” shall not exceed the monthly Fee at Risk for that period. The Performance Credit is the amount due to the State for the failure of SLAs. For SLAs measured on a quarterly basis, the monthly fee at risk applies and is cumulative.

On a quarterly basis, there will be a “true-up” at which time the total amount of the Performance Credit will be calculated (the “Net Amount”), and such Net Amount may be off set against any fees owed by the State to the Contractor, unless the State requests a payment in the amount of the Performance Credit.

The Contractor will not be liable for any failed SLA caused by circumstances beyond its control, and that could not be avoided or mitigated through the exercise of prudence and ordinary care, provided that the Contractor promptly notifies the State in writing and takes all steps necessary to minimize the effect of such circumstances and resumes its performance of the Services in accordance with the SLAs as soon as reasonably possible.

To further clarify, the Performance Credits available to the State will not constitute the State’s exclusive remedy to resolving issues related to the Contractor’s performance. In addition, if the Contractor fails multiple service levels during a reporting period or demonstrates a pattern of failing a specific service level throughout the SOW, then the Contractor may be required, at the State’s discretion, to implement a State-approved corrective action plan to address the failed performance.

SLAs will commence when the SOW is initiated.

Monthly Service Level Report. On a monthly basis, the Contractor must provide a written report (the “Monthly Service Level Report”) to the State which includes the following information:

Identification and description of each failed SLA caused by circumstances beyond the Contractor’s control and that could not be avoided or mitigated through the exercise of prudence and ordinary care during the applicable month;

The Contractor’s quantitative performance for each SLA;

The amount of any monthly performance credit for each SLA;

The year-to-date total performance credit balance for each SLA and all the SLAs;

Upon state request, a “Root-Cause Analysis” and corrective action plan with respect to any SLA where the Individual SLA failed during the preceding month; and

Trend or statistical analysis with respect to each SLA as requested by the State.

The Monthly Service Level Report will be due no later than the tenth (10th) day of the following month.


SLA Name | Performance Evaluated | Non-Conformance Remedy | Frequency of Measurement

Delivery Date Service Level

The Delivery Date Service Level will measure the percentage of SOW tasks, activities, deliverables, milestones and events assigned specific completion dates in the applicable SOW and/or SOW project plan that are achieved on time. The State and the Contractor will agree to a project plan at the commencement of the SOW and the Contractor will maintain the project plan as agreed to throughout the life of the SOW. The parties may agree to re-baseline the project plan throughout the life of the SOW. Due to the overlapping nature of tasks, activities, deliverables, milestones and events a measurement period of one calendar month will be established to serve as the basis for the measurement window. The Contractor will count all tasks, activities, deliverables, milestones and events to be completed during the measurement window and their corresponding delivery dates in the applicable SOW and/or SOW project plan. This service level will commence upon SOW initiation and will prevail until SOW completion.

Compliance with delivery date is expected to be greater than 85%

This SLA is calculated as follows: “% Compliance with delivery dates” equals “(Total dates in period – Total dates missed)” divided by “Total dates in period”

Fee at Risk Monthly

Deliverable Acceptance Service Level

The Deliverable Acceptance Service Level will measure the State’s ability to accept Contractor deliverables based on submitted quality and in keeping with defined and approved content and criteria for Contractor deliverables in accordance with the terms of the Contract and the applicable SOW. The Contractor must provide deliverables to the State in keeping with agreed levels of completeness, content quality, content topic coverage and otherwise achieve the agreed purpose of the deliverable between the State and the Contractor in accordance with the Contract and the applicable SOW. Upon mutual agreement, the service level will be calculated / measured in the period due, not in the period submitted. Consideration will be given to deliverables submitted that span multiple measurement periods. The measurement period is a quarter of a year. The first quarterly measurement period will commence on the first day of the first full calendar month of the Contract, and successive quarterly measurement periods will run continuously thereafter until the expiration of the applicable SOW.

Compliance with deliverable acceptance is expected to be greater than 85%

This SLA is calculated as follows: “% Deliverable Acceptance” equals “# Deliverables accepted during period” divided by “# Deliverables submitted for review/acceptance by the State during the period”

Fee at Risk Monthly

Scheduled Reports Service Level

The Scheduled Reports Service Level will measure the receipt of Reports within SLA schedule or other established time frames.

Compliance with deliverable acceptance is expected to be greater than 85%

This SLA is calculated as follows: “Scheduled Reporting Performance” equals “(Total Number of Reports Required – Total Reports Missed/Missing)” divided by “Total Number of Reports Required”

Fee at Risk Monthly

System Test Execution Exit Quality Rate

The System Test Execution Exit Quality Rate will, prior to UAT, be determined using the results of Contractor generated pre-test strategy, executed testing cases including functionality, performance, integration, interfaces, operational suitability and other test coverage items comprising a thorough Contractor executed system testing effort. Regression Testing must be performed as necessary. “System Test Execution Exit Quality Rate” means the inventory of all test cases performed in conjunction with Contractor system testing, or testing otherwise preceding the State’s User Acceptance Testing efforts, presentation of resultant test performance inclusive of identified errors or issues (by priority), impact areas and overall testing results to the State otherwise referred to as “Testing Results”.

This Service Level begins upon Contractor presentation of the aforementioned Testing Results to the State prior to the State conducting UAT. The initial service level shown for this SLA will be 90.0%, exclusive of Critical and High defects (which must be resolved prior to presentation to the State) and will be validated during an initial measurement period. The initial and subsequent measurement periods will be as mutually agreed by the Parties. Following the initial measurement period, and as a result of any production use the Service Level will be adjusted to 95%.

Compliance with the System Test Execution Exit Quality Rate is expected to be greater than or equal to 90% prior to UAT and greater than or equal to 95% in production

This SLA is calculated as follows: “System Test Quality/Exit Rate” equals “Total Test Cases Passing Contractor System Test Efforts” divided by “Total Executed during System Testing Effort”

Fee at Risk Monthly

Mean Time to Repair/Resolve Critical Service Level

The Mean Time to Repair/Resolve Critical Service Level will be calculated by determining time (stated in hours and minutes) representing the statistical mean for all in-scope Critical Defect service requests in the Contract Month. “Time to Repair” is measured from time a Defect is received by the Contractor to point in time when the Defect is resolved by the Contractor and the Contractor submits the repair to the State for confirmation of resolution. “Critical Defect Service Request” affects critical functionality or critical data. No work-around exists.

Mean Time to Repair/Resolve pre-implementation Critical Defects is expected to be less than or equal to 24 hours*

* In lieu of any specifically stated SLA determined by the project sponsor, the default requirement shall apply.

Mean Time to Repair/Resolve post-implementation Critical Defects is expected to be less than or equal to 24 hours

This SLA is calculated as follows: “Mean Time to Repair/Resolve (Critical Defects)” equals “Total elapsed time it takes to repair Critical Defect Service Requests” divided by “Total Critical Defect Service Requests”

Fee at Risk Monthly

Mean Time to Repair/Resolve High Service Level

The Mean Time to Repair/Resolve High Service Level will be calculated by determining time (stated in hours and minutes) representing the statistical mean for all in-scope High Defect service requests in the Contract Month. “Time to Repair” is measured from time a Defect is received by the Contractor to point in time when the Defect is resolved by the Contractor and the Contractor submits the repair to the State for confirmation of resolution. “High Defect Service Request” affects critical functionality, but there is a temporary work-around however it is difficult to implement.

Mean Time to Repair/Resolve pre-implementation High Defects is expected to be less than or equal to 72 hours

Mean Time to Repair/Resolve post-implementation High Defects is expected to be less than or equal to 72 hours

This SLA is calculated as follows: “Mean Time to Repair/Resolve (High Defects)” equals “Total elapsed time it takes to repair High Defect Service Requests” divided by “Total High Defect Service Requests”

Fee at Risk Monthly

Mean Time to Repair Medium Service Level

The Mean Time to Repair Medium Service Level will be calculated by determining time (stated in hours and minutes) representing the statistical mean for all in-scope Medium Defect service requests in the Contract Month. “Time to Repair” is measured from time a Defect is received by the Contractor to point in time when the Defect is resolved by the Contractor and the Contractor submits the repair to the State for confirmation of resolution. “Medium Defect Service Request” affects minor functionality or non-critical data. There is an easy, temporary work-around.

Mean Time to Repair/Resolve pre-implementation Medium Defects is expected to be less than or equal to 7 calendar days

Mean Time to Repair/Resolve post-implementation Medium Defects is expected to be less than or equal to 7 calendar days

This SLA is calculated as follows: “Mean Time to Repair/Resolve (Medium Defects)” equals “Total elapsed time it takes to repair medium Defect Service Requests” divided by “Total Medium Defect Service Requests”

Fee at Risk Monthly

4.5 State Staffing Plan

Staff/Stakeholder Name Project Role Percent Allocated

Jackie Trexel ODOT Project Manager 20%

John Seiler ODPS Technical Lead / OTIS 10%

Derek Troyer ODOT Highway Safety Program Business Lead 20%

Mike McNeill ODOT Highway Safety Program/ Contract Manager 20%

Maury Meredith ODOT Business Analyst 10%

Jasmine Ramaradjou ODPS Project Manager 10%

Section 5: SOW Response Submission Requirements

Response Format, Content Requirements

An identifiable tab sheet must precede each section of a Proposal, and each Proposal must follow the format outlined below. All pages, except pre-printed technical inserts, must be sequentially numbered.

Each Proposal must contain the following:

Cover Letter
Pre-Qualified Contractor Experience Requirements
Subcontractors Documentation
Assumptions
Payment Address
Staffing plan, personnel resumes, time commitment, organizational chart
Project Plan
Project Schedule (WBS using MS Project or compatible)
Communication Plan
Fee Structure including Estimated Work Effort for each Task/Deliverable
Rate Card

Include the following:


5.1 Cover Letter:

a. Must be in the form of a standard business letter;

b. Must be signed by an individual authorized to legally bind the Pre-Qualified Contractor;

c. Must include a statement regarding the Pre-Qualified Contractor’s legal structure (e.g. an Ohio corporation), Federal tax identification number, and principal place of business; please list any Ohio locations or branches;

d. Must include a list of the people who prepared the Proposal, including their titles; and

e. Must include the name, address, e-mail, phone number, and fax number of a contact person who has the authority to answer questions regarding the Proposal.

5.2 Pre-Qualified Contractors Experience Requirements

a. Each proposal must include a brief executive summary of the services the Pre-Qualified Contractor proposes to provide and one representative sample of previously completed projects as it relates to this proposal (e.g. detailed requirements documents, analysis);

b. Each proposal must describe the Pre-Qualified Contractor’s experience, capability, and capacity to provide Application Development and optional Solicitation Assistance. Provide specific detailed information demonstrating experience similar in nature to the type of work described in this SOW for each of the resources identified in Section 5.2.

c. Mandatory Requirements: The Pre-Qualified Contractor **or Subcontractor** must demonstrate they possess knowledge of the following:

The Pre-Qualified Contractor **must** have performed similar work for at least 2 projects within the past 5 years and must demonstrate that they meet this requirement by including a list of at least three references from current or past customers. The list must contain current contact persons and contact information for work engagements. Pre-Qualified Contractors **Proposals** not meeting this requirement to the satisfaction of ODOT may be disqualified. The proposal must contain a brief summary of each of those work engagements, how they are similar in size, scope, and purpose, to the project described in this SOW solicitation document, and the level of success attained.

Must have understanding of how to design a mapping application that will link to an existing software application.

Experience in leveraging existing data and attributes that already are loaded onto a PC.

Three years’ experience developing GIS applications.

Basic understanding of Ohio Crash Reporting.

Project Team Qualifications

Provide an outline of the project team and a brief description on the approach for the project. At a minimum the proposal must contain:

1) Proposed project manager and team members resume or curriculum vitae demonstrating that the team has the necessary professional experience and background.

2) Three references where the proposed project manager has managed a similar project onsite or remotely.

3) Team member(s) have SQL Server Express, ESRI/GIS experience.

4) Team members must have experience analyzing business processes that integrate data from multiple sources.

5) Minimum Project Manager Qualifications:

A. Bachelor’s Degree in Information Technology or related field or equivalent work experience.

B. Five (5) years’ experience as a project manager developing project plans, defining schedules, developing project approach, budgeting, monitoring and project change management processes.

5.3 Subcontractor Documentation:

a. For each proposed Subcontractor, the Contractor must attach a letter from the subcontractor, signed by someone authorized to legally bind the subcontractor, with the following included in the letter:

i. The Subcontractor’s legal status, federal tax identification number, D-U-N-S number if applicable, and principal place of business address;

ii. The name, phone number, fax number, email address, and mailing address of a person who is authorized to legally bind the Subcontractor to contractual obligations;

iii. A description of the work the Subcontractor will do and one representative sample of previously completed projects as it relates to this SOW (e.g. detailed requirements document, analysis, statement of work);

iv. Must describe the Subcontractor’s experience, capability, and capacity to provide Information Technology Assessment, Planning, and Solicitation Assistance. Provide specific detailed information demonstrating experience similar in nature to the type of work described in this SOW from each of the resources identified;

v. A commitment to do the work if the Contractor is selected; and

vi. A statement that the Subcontractor has read and understood the SOW and will comply with the requirements of the Solicitation.

5.4 Assumptions: The Pre-Qualified Contractor must list all assumptions the Pre-Qualified Contractor made in preparing the Proposal. If any assumption is unacceptable to the State, the State may at its sole discretion request that the Pre-Qualified Contractor remove the assumption or choose to reject the Proposal. No assumptions may be included regarding the outcomes of negotiation, terms and conditions, or requirements. Assumptions should be provided as part of the Pre-Qualified Contractor response as a stand-alone response section that is inclusive of all assumptions with reference(s) to the section(s) of the Solicitation that the assumption is applicable to. The Pre-Qualified Contractor should not include assumptions elsewhere in their response.

5.5 Payment Address: The Pre-Qualified Contractor must give the address to which the State should send payments under the Contract.

5.6 Staffing plan, personnel resumes, time commitment, organizational chart

Identify Contractor and sub-contractor staff and time commitment. Identify hourly rates for personnel, as applicable. Include Contractor and sub-contractor resumes for each resource identified and organizational chart for entire team.

Contractor Name | Role | Contractor or Sub-contractor? | No. Hours | Hourly Rate


5.7 Project Plan

Identify and describe the plan to produce effective documents and complete the deliverable requirements. Describe the primary tasks, how long each task will take, and when each task will be completed in order to meet the final deadline.

5.8 Project Schedule (WBS using MS Project or compatible)

Describe the Project Schedule including planning, planned vs. actuals for monitoring performance, including milestones, and time for writing, editing and revising. Using MS Project or compatible, create a deliverable-oriented grouping of project elements that organizes and defines the total work scope of the project with each descending level representing an increasingly detailed definition of the project work.

5.9 Communication Plan

Strong listening skills, the ability to ask appropriate questions, and follow-up questions will be required to capture the information necessary to complete the deliverable requirements. Describe the methods to be used to gather and store various types of information and to disseminate the information, updates, and corrections to previously distributed material. Identify to whom the information will flow and what methods will be used for the distribution. Include format, content, level of detail, and conventions to be used. Provide methods for accessing information between scheduled communications.

5.10 Fee Structure including Estimated Work Effort for each Deliverable

Payment will be scheduled upon approval and acceptance of each applicable Deliverable by the ODOT Project Sponsor and ODOT Project Manager within the usual payment terms of the State.

Deliverable Name | Total Estimated Work Effort (Hours) | Not-to-Exceed Fixed Price for Deliverable

DISCOVERY PHASE: Detailed Project Plan & Schedule

Throughout Project: Weekly Status Reports

DISCOVERY PHASE: Detailed Requirements document

DISCOVERY PHASE: Detailed Wire Frames

DISCOVERY PHASE: Software Architecture Diagram (SAD)

DEVELOPMENT PHASE: Delivery of Development elements via bi-weekly sprints

DEVELOPMENT PHASE: Completion of system testing / signoff

TESTING PHASE: Completion of UAT testing / signoff

TRAINING PHASE: Train-the-Trainer to ODOT / ODPS teams

DEPLOYMENT PHASE: Beta Deployment plan

DEPLOYMENT PHASE: Beta Deployment

POST DEPLOYMENT SUPPORT / MAINTENANCE PHASE: Product support plan (Beta Production Release)

Total Cost for all Deliverables

5.11 Rate Card

The primary purpose of obtaining a Rate Card is to establish baseline hourly rates in the event that change orders are necessary. The DBITS contract is not intended to be used for hourly based time and materials work.

Pre-Qualified Contractors must submit a Rate Card that includes hourly rates for all services the Contractor offers, including but not limited to those listed in this Solicitation. Enter the Rate Card information in this section.

Section 6: SOW Evaluation Criteria

Mandatory Requirements: Accept/Reject

Pre-qualified Contractor (and proposed Subcontractor) cover letter(s) included in Section 5.

Pre-qualified Contractor submitted properly formatted proposal by submission deadline.

Pre-Qualified Contractor or Subcontractor must demonstrate the Mandatory Requirement included in Section 5.1.2.c.


Scored Requirements | Weight | Does Not Meet | Meet | Exceeds

Contractor or Subcontractor Summary show(s) company experience in application development using ESRI/GIS with a multitude of data inputs | 7 | 0 | 5 | 7

Contractor or Subcontractor Summary identifies resource(s) with experience in application development using ESRI/GIS and a multitude of data inputs | 7 | 0 | 5 | 7

Contractor or Subcontractor Summary must describe the approach for developing the application/interface. | 5 | 0 | 5 | 7

Pre-Qualified Contractor(s) staffing plan | 3 | 0 | 5 | 7

Pre-Qualified Contractor(s) project plan | 3 | 0 | 5 | 7

Demonstrated ability and availability to complete the project in the available timeline based on the proposed project plan | 5 | 0 | 5 | 7

Price Performance Formula. The evaluation team will rate the Proposals that meet the Mandatory Requirements based on the following criteria and respective weights.

Criteria | Percentage

Technical Proposal | 70%

Cost Summary | 30%

To ensure the scoring ratio is maintained, the State will use the following formulas to adjust the points awarded to each offeror.

The offeror with the highest point total for the Technical Proposal will receive 700 points. The remaining offerors will receive a percentage of the maximum points available based upon the following formula:

Technical Proposal Points = (Offeror’s Technical Proposal Points/Highest Number of Technical Proposal Points Obtained) x 700

The offeror with the lowest proposed total cost for evaluation purposes will receive 300 points. The remaining offerors will receive a percentage of the maximum cost points available based upon the following formula:

Cost Summary Points = (Lowest Total Cost for Evaluation Purposes/Offeror’s Total Cost for Evaluation Purposes) x 300

Total Points Score: The total points score is calculated using the following formula:

Total Points = Technical Proposal Points + Cost Summary Points


Section 7: SOW Solicitation Calendar of Events

Firm Dates

SOW Solicitation Released to Pre-qualified Contractors March 15, 2017

Inquiry Period Begins March 15, 2017

Inquiry Period Ends April 3, 2017

Proposal Response Due Date April 14, 2017 at 1:00 p.m. (Columbus, Ohio local time)

Anticipated Dates

Estimated Date for Selection of Awarded Contractor Early May 2017

Estimated Commencement Date of Work Late May 2017

All times listed are Eastern Standard Time (EST).

Section 8: Inquiry Process

Pre-Qualified Contractors may make inquiries regarding this SOW Solicitation anytime during the inquiry period listed in the Calendar of Events. To make an inquiry, Pre-Qualified Contractors must use the following process:

Access the State’s Procurement Website at http://procure.ohio.gov/;
From the Quick Links menu on the right, select “Bid Opportunities Search”;
In the “Document/Bid Number” field, enter the DBITS Solicitation ID number found on the first page of this SOW Solicitation;
Click the “Search” button;
On the Opportunity Search Results page, click on the hyperlinked Bid Number;
On the Opportunity Details page, click the “Submit Inquiry” button;
On the document inquiry page, complete the required “Personal Information” section by providing:
o First and last name of the prospective offeror’s representative (the Offeror Representative) who is responsible for the inquiry,
o Name of the prospective offeror,
o The Offeror Representative’s business phone number, and
o The Offeror Representative’s email address;
Type the inquiry in the space provided including:
o A reference to the relevant part of this Solicitation,
o The heading for the provision under question, and
o The page number of the Solicitation where the provision can be found;
Enter the Confirmation Number at the bottom of the page
Click the “Submit” button.

A Pre-Qualified Contractor submitting an inquiry will receive an acknowledgement that the State has received the inquiry as well as an email acknowledging receipt. The Pre-Qualified Contractor will not receive a personalized response to the question nor notification when the State has answered the question.

Pre-Qualified Contractors may view inquiries and responses on the State’s Procurement Website by using the “Find It Fast” feature described above and by clicking the “View Q & A” button on the document information page.

The State usually responds to all inquiries within three business days of receipt, excluding weekends and State holidays. But the State will not respond to any inquiries received after 8:00 a.m. on the inquiry end date.

The State does not consider questions asked during the inquiry period through the inquiry process as exceptions to the terms and conditions of this Solicitation.

Section 9: Submission Instructions & Location

Each Pre-Qualified Contractor must submit Three (3) complete, sealed and signed copies of its Proposal Response and each submission must be clearly marked “Officer Crash Mapping Application” on the outside of its package along with Pre-Qualified Contractor’s name.

A single electronic copy of the complete Proposal Response must also be submitted with the printed Proposal Responses. Electronic submissions should be on a CD or DVD.

Each proposal must be organized in the same format as described in Section 5. Any material deviation from the format outlined in Section 5 may result in a rejection of the non-conforming proposal. Each proposal must contain an identifiable tab sheet preceding each section of the proposal. Proposal Response should be good for a minimum of 60 days.

The State will not be liable for any costs incurred by any Pre-Qualified Contractor in responding to this SOW Solicitation, even if the State does not award a contract through this process. The State may decide not to award a contract at the State’s discretion. The State may reject late submissions regardless of the cause for the delay. The State may also reject any submission that it believes is not in its interest to accept and may decide not to do business with any of the Pre-Qualified Contractors responding to this SOW Solicitation.

As noted in Section 7 SOW Solicitation Calendar of Events, proposals are due on April 14, 2017; no later than 1:00 PM. No responses will be accepted after this date and time.

Proposal Responses MUST be submitted to the State Agency’s Procurement Representative:

Shawn Shelstad
Ohio Department of Transportation
Mailstop 2400
1980 West Broad Street
Columbus, Ohio 43223

Proprietary information

All Proposal Responses and other material submitted will become the property of the State and may be returned only at the State's option. Proprietary information should not be included in a Proposal Response or supporting materials because the State will have the right to use any materials or ideas submitted in any quotation without compensation to the Pre-Qualified Contractor. Additionally, all Proposal Response submissions will be open to the public after the contract has been awarded.

The State may reject any Proposal if the Pre-Qualified Contractor takes exception to the terms and conditions of the Contract.

Waiver of Defects

The State has the right to waive any defects in any quotation or in the submission process followed by a Pre-Qualified Contractor. But the State will only do so if it believes that is in the State's interest and will not cause any material unfairness to other Pre-Qualified Contractors.

Rejection of Submissions

The State may reject any submission that is not in the required format, does not address all the requirements of this SOW Solicitation, or that the State believes is excessive in price or otherwise not in its interest to consider or to accept. The State will reject any responses from companies not pre-qualified in the Technology Category associated with this SOW Solicitation. In addition, the State may cancel this SOW Solicitation, reject all the submissions, and seek to do the work through a new SOW Solicitation or other means.

Section 10: Limitation of Liability

Identification of Limitation of Liability applicable to the specific SOW Solicitation. Unless otherwise stated in this section of the SOW Solicitation, the Limitation of Liability will be as described in Attachment Four, Part Four of the Contract General Terms and Conditions.


Supplement One: Security and Privacy

Security and Privacy Requirements
State IT Computing Policy Requirements
State Data Handling Requirements


Overview and Scope

This Supplement shall apply to any and all Work, Services, Locations and Computing Elements that the Contractor will perform, provide, occupy or utilize in conjunction with the delivery of work to the State and any access of State resources in conjunction with delivery of work.

This scope shall specifically apply to:

Major and Minor Projects, Upgrades, Updates, Fixes, Patches and other Software and Systems inclusive of all State elements or elements under the Contractor’s responsibility utilized by the State;

Any systems development, integration, operations and maintenance activities performed by the Contractor;

Any authorized Change Orders, Change Requests, Statements of Work, extensions or Amendments to this agreement;

Contractor locations, equipment and personnel that access State systems, networks or data directly or indirectly; and

Any Contractor personnel or sub-Contracted personnel that have access to State confidential, personal, financial, infrastructure details or sensitive data.

The terms in this Supplement are additive to the Standard State Terms and Conditions contained elsewhere in this agreement. In the event of a conflict for whatever reason, the highest standard contained in this agreement shall prevail.

1. General State Security and Information Privacy Standards and Requirements

The Contractor will be responsible for maintaining information security in environments under the Contractor’s management and in accordance with State IT Security Policies. The Contractor will implement an information security policy and security capability as set forth in this agreement.

The Contractor’s responsibilities with respect to Security Services will include the following:

Provide vulnerability management Services for the Contractor’s internal secure network connection, including supporting remediation for identified vulnerabilities as agreed.

Support the implementation and compliance monitoring for State IT Security Policies.

Develop, maintain, update, and implement security procedures, with State review and approval, including physical access strategies and standards, ID approval procedures and a breach of security action plan.

Develop, implement, and maintain a set of automated and manual processes to ensure that data access rules are not compromised.

Perform physical security functions (e.g., identification badge controls, alarm responses) at the facilities under the Contractor’s control.

Support intrusion detection and prevention and vulnerability scanning pursuant to State IT Security Policies.

1.1. State Provided Elements: Contractor Responsibility Considerations

The State is responsible for Network Layer (meaning the Internet Protocol suite and the open systems interconnection model of computer networking protocols and methods to process communications across the IP network) system services and functions that build upon State infrastructure environment elements; the Contractor shall not be responsible for the implementation of Security Services of these systems as these shall be retained by the State.

To the extent that the Contractor accesses or utilizes State provided networks, the Contractor is responsible for adhering to State policies and use procedures and for doing so in a manner that does not diminish established State capabilities and standards.

The Contractor will be responsible for maintaining the security of information in environment elements that it accesses, utilizes, develops or manages in accordance with the State Security Policy. The Contractor will implement information security policies and capabilities, upon review and agreement by the State, based on the Contractor’s standard service center security processes that satisfy the State’s requirements contained herein.

The Contractor’s responsibilities with respect to security services must also include the following:

Provide vulnerability management services including supporting remediation for identified vulnerabilities as agreed.

1.2. State Information Technology Policies

The Contractor is responsible for maintaining the security of information in environment elements under direct management and in accordance with State Security policies and standards. The Contractor will implement information security policies and capabilities as set forth in Statements of Work and, upon review and agreement by the State, based on the offeror’s standard service center security processes that satisfy the State’s requirements contained herein. The offeror’s responsibilities with respect to security services include the following:

The State shall be responsible for conducting periodic security and privacy audits and generally utilizes members of the OIT Chief Information Security Officer and Privacy teams, the OBM Office of Internal Audit and the Auditor of State, depending on the focus area of an audit. Should an audit issue be discovered the following resolution path shall apply:

If over the course of delivering services to the State under this Statement of Work for in-scope environments the Contractor becomes aware of an issue, or a potential issue that was not detected by security and privacy teams the Contractor is to notify the State within two (2) hours. This notification shall not minimize the more stringent Service Level Agreements pertaining to security scans and breaches contained herein, which due to the nature of an active breach shall take precedence over this notification. Dependent on the nature of the issue the State may elect to contract with the Contractor under mutually agreeable terms for those specific resolution services at that time or elect to address the issue independent of the Contractor.

2. State and Federal Data Privacy Requirements

Because the privacy of individuals’ personally identifiable information (PII) and State Sensitive Information (SSI), generally information that is not subject to disclosure under Ohio Public Records law, is a key element to maintaining the public’s trust in working with the State, all systems and services shall be designed and shall function according to the following fair information practices principles. To the extent that personally identifiable information in the system is “protected health information” under the HIPAA Privacy Rule, these principles shall be implemented in alignment with the HIPAA Privacy Rule. To the extent that there is PII in the system that is not “protected health information” under HIPAA, these principles shall still be implemented and, when applicable, aligned to other law or regulation.


All parties to this agreement specifically agree to comply with state and federal confidentiality and information disclosure laws, rules and regulations applicable to work associated with this Solicitation including but not limited to:

United States Code 42 USC 1320d through 1320d-8 (HIPAA);

Code of Federal Regulations, 42 CFR 431.300, 431.302, 431.305, 431.306, 435.945, 45 CFR 164.502 (e) and 164.504 (e);

Ohio Revised Code, ORC 173.20, 173.22, 1347.01 through 1347.99, 2305.24, 2305.251, 3701.243, 3701.028, 4123.27, 5101.26, 5101.27, 5101.572, 5112.21, and 5111.61;

Corresponding Ohio Administrative Code Rules and Updates; and

Systems and Services must support and comply with the State’s security operational support model which is aligned to NIST 800-53 Revision 4.

2.1. Protection of State Data

Protection of State Data. To protect State Data as described in this agreement, in addition to its other duties regarding State Data, Contractor will:

Maintain in confidence any personally identifiable information (“PII”) and State Sensitive Information (“SSI”) it may obtain, maintain, process, or otherwise receive from or through the State in the course of the Agreement;

Use and permit its employees, officers, agents, and independent contractors to use any PII/SSI received from the State solely for those purposes expressly contemplated by the Agreement;

Not sell, rent, lease or disclose, or permit its employees, officers, agents, and independent contractors to sell, rent, lease, or disclose, any such PII/SSI to any third party, except as permitted under this Agreement or required by applicable law, regulation, or court order;

Take all commercially reasonable steps to (a) protect the confidentiality of PII/SSI received from the State and (b) establish and maintain physical, technical and administrative safeguards to prevent unauthorized access by third parties to PII/SSI received by Contractor from the State;

Give access to PII/SSI of the State only to those individual employees, officers, agents, and independent contractors who reasonably require access to such information in connection with the performance of Contractor’s obligations under this Agreement;

Upon request by the State, promptly destroy or return to the State in a format designated by the State all PII/SSI received from the State;

Cooperate with any attempt by the State to monitor Contractor’s compliance with the foregoing obligations as reasonably requested by the State from time to time. The State shall be responsible for all costs incurred by Contractor for compliance with this provision of this subsection; and

Establish and maintain data security policies and procedures designed to ensure the following:

a) Security and confidentiality of PII/SSI;

b) Protection against anticipated threats or hazards to the security or integrity of PII/SSI; and

c) Protection against the unauthorized access or use of PII/SSI.

2.1.1. Disclosure

Disclosure to Third Parties. This Agreement shall not be deemed to prohibit disclosures in the following cases:

Required by applicable law, regulation, court order or subpoena; provided that, if the Contractor or any of its representatives are ordered or requested to disclose any information provided by the State, whether PII/SSI or otherwise, pursuant to court or administrative order, subpoena, summons, or other legal process, Contractor will promptly notify the State (unless prohibited from doing so by law, rule, regulation or court order) in order that the State may have the opportunity to seek a protective order or take other appropriate action. Contractor will also cooperate in the State’s efforts to obtain a protective order or other reasonable assurance that confidential treatment will be accorded the information provided by the State. If, in the absence of a protective order, Contractor is compelled as a matter of law to disclose the information provided by the State, Contractor may disclose to the party compelling disclosure only the part of such information as is required by law to be disclosed (in which case, prior to such disclosure, Contractor will advise and consult with the State and its counsel as to such disclosure and the nature of wording of such disclosure) and Contractor will use commercially reasonable efforts to obtain confidential treatment therefor;

To State auditors or regulators;

To service providers and agents of either party as permitted by law, provided that such service providers and agents are subject to binding confidentiality obligations.

2.2. Handling the State’s Data

The Contractor must use due diligence to ensure computer and telecommunications systems and services involved in storing, using, or transmitting State Data are secure and to protect that data from unauthorized disclosure, modification, or destruction. “State Data” includes all data and information created by, created for, or related to the activities of the State and any information from, to, or related to all persons that conduct business or personal activities with the State. To accomplish this, the Contractor must adhere to the following principles:

Apply appropriate risk management techniques to balance the need for security measures against the sensitivity of the State Data.

Ensure that its internal security policies, plans, and procedures address the basic security elements of confidentiality, integrity, and availability.

Maintain plans and policies that include methods to protect against security and integrity threats and vulnerabilities, as well as detect and respond to those threats and vulnerabilities.

Maintain appropriate identification and authentication processes for information systems and services associated with State Data.

Maintain appropriate access control and authorization policies, plans, and procedures to protect system assets and other information resources associated with State Data.

Implement and manage security audit logging on information systems, including computers and network devices.

2.3. Contractor Access to State Networks Systems and Data

The Contractor must maintain a robust boundary security capacity that incorporates generally recognized system hardening techniques. This includes determining which ports and services are required to support access to systems that hold State Data, limiting access to only these points, and disabling all others.

To do this, the Contractor must:

Use assets and techniques such as properly configured firewalls, a demilitarized zone for handling public traffic, host-to-host management, Internet protocol specification for source and destination, strong authentication, encryption, packet filtering, activity logging, and implementation of system security fixes and patches as they become available.

Use two-factor authentication to limit access to systems that contain particularly sensitive State Data, such as personally identifiable data.


Assume all State Data and information is both confidential and critical for State operations, and the Contractor’s security policies, plans, and procedure for the handling, storage, backup, access, and, if appropriate, destruction of that data must be commensurate to this level of sensitivity unless the State instructs the Contractor otherwise in writing.

Employ appropriate intrusion and attack prevention and detection capabilities. Those capabilities must track unauthorized access and attempts to access the State’s Data, as well as attacks on the Contractor’s infrastructure associated with the State’s data. Further, the Contractor must monitor and appropriately address information from its system Applications used to prevent and detect unauthorized access to and attacks on the infrastructure associated with the State’s Data.

Use appropriate measures to ensure that State Data is secure before transferring control of any systems or media on which State Data is stored. The method of securing the State Data must be appropriate to the situation and may include erasure, destruction, or encryption of the State Data before transfer of control. The transfer of any such system or media must be reasonably necessary for the performance of the Contractor’s obligations under this Contract.

Have a business continuity plan in place that the Contractor tests and updates at least annually. The plan must address procedures for response to emergencies and other business interruptions. Part of the plan must address backing up and storing data at a location sufficiently remote from the facilities at which the Contractor maintains the State’s Data in case of loss of that data at the primary site. The plan also must address the rapid restoration, relocation, or replacement of resources associated with the State’s Data in the case of a disaster or other business interruption. The Contractor’s business continuity plan must address short- and long-term restoration, relocation, or replacement of resources that will ensure the smooth continuation of operations related to the State’s Data. Such resources may include, among others, communications, supplies, transportation, space, power and environmental controls, documentation, people, data, software, and hardware. The Contractor also must provide for reviewing, testing, and adjusting the plan on an annual basis.

Not allow the State’s Data to be loaded onto portable computing devices or portable storage components or media unless necessary to perform its obligations under this Contract properly. Even then, the Contractor may permit such only if adequate security measures are in place to ensure the integrity and security of the State Data. Those measures must include a policy on physical security for such devices to minimize the risks of theft and unauthorized access that includes a prohibition against viewing sensitive or confidential data in public or common areas.

Ensure that portable computing devices have anti-virus software, personal firewalls, and system password protection. In addition, the State’s Data must be encrypted when stored on any portable computing or storage device or media or when transmitted from them across any data network.

Maintain an accurate inventory of all such devices and the individuals to whom they are assigned.

2.4. Portable Devices, Data Transfer and Media

Any encryption requirement identified in this Supplement means encryption that complies with National Institute of Standards Federal Information Processing Standard 140-2 as demonstrated by a valid FIPS certificate number. Any sensitive State Data transmitted over a network, or taken off site via removable media must be encrypted pursuant to the State’s Data encryption standard ITS-SEC-01 Data Encryption and Cryptography.

The Contractor must have reporting requirements for lost or stolen portable computing devices authorized for use with State Data and must report any loss or theft of such to the State in writing as quickly as reasonably possible. The Contractor also must maintain an incident response capability for all security breaches involving State Data whether involving mobile devices or media or not. The Contractor must detail this capability in a written policy that defines procedures for how the Contractor will detect, evaluate, and respond to adverse events that may indicate a breach or attempt to attack or access State Data or the infrastructure associated with State Data.


To the extent the State requires the Contractor to adhere to specific processes or procedures in addition to those set forth above in order for the Contractor to comply with the managed services principles enumerated herein, those processes or procedures are set forth in this agreement.

2.5. Limited Use; Survival of Obligations.

Contractor may use PII/SSI only as necessary for Contractor’s performance under or pursuant to rights granted in this Agreement and for no other purpose. Contractor’s limited right to use PII/SSI expires upon conclusion, non-renewal or termination of this Agreement for any reason. Contractor’s obligations of confidentiality and non-disclosure survive termination or expiration for any reason of this Agreement.

2.6. Disposal of PII/SSI.

Upon expiration of Contractor’s limited right to use PII/SSI, Contractor must return all physical embodiments to the State or, with the State’s permission, Contractor may destroy PII/SSI. Upon the State’s request, Contractor shall provide written certification to the State that Contractor has returned, or destroyed, all such PII/SSI in Contractor’s possession.

2.7. Remedies

If Contractor or any of its representatives or agents breaches the covenants set forth in these provisions, irreparable injury may result to the State or third parties entrusting PII/SSI to the State. Therefore, the State’s remedies at law may be inadequate and the State shall be entitled to seek an injunction to restrain any continuing breach. Notwithstanding any limitation on Contractor’s liability, the State shall further be entitled to any other rights or remedies that it may have in law or in equity.

2.8. Prohibition on Off-Shore and Unapproved Access

The Contractor shall comply in all respects with U.S. statutes, regulations, and administrative requirements regarding its relationships with non-U.S. governmental and quasi-governmental entities including, but not limited to the export control regulations of the International Traffic in Arms Regulations (“ITAR”) and the Export Administration Act (“EAA”); the anti-boycott and embargo regulations and guidelines issued under the EAA, and the regulations of the U.S. Department of the Treasury, Office of Foreign Assets Control, HIPAA Privacy Rules and other conventions as described and required in this Supplement.

The Contractor will provide resources for the work described herein with natural persons who are lawful permanent residents as defined in 8 U.S.C. 1101 (a)(20) or who are protected individuals as defined by 8 U.S.C. 1324b(a)(3). It also means any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the U.S. It also includes any governmental (federal, state, local), entity.

The State specifically prohibits sending, taking or making available remotely (directly or indirectly), any State information including State data, software, code, intellectual property, designs and specifications, system logs, system data, personal or identifying information and related materials out of the United States in any manner, except by mere travel outside of the U.S. by a person whose personal knowledge includes technical data; or transferring registration, control, or ownership to a foreign person, whether in the U.S. or abroad, or disclosing (including oral or visual disclosure) or transferring in the United States any State article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or disclosing (including oral or visual disclosure) or transferring data to a foreign person, whether in the U.S. or abroad.

It is the responsibility of all individuals working at the State to understand and comply with the policy set forth in this document as it pertains to end-use export controls regarding State restricted information.

Where the Contractor is handling confidential employee or citizen data associated with Human Resources data, the Contractor will comply with data handling privacy requirements associated with HIPAA and as further defined by The United States Department of Health and Human Services Privacy Requirements and outlined in http://www.hhs.gov/ocr/privacysummary.pdf.

It is the responsibility of all Contractor individuals working at the State to understand and comply with the policy set forth in this document as it pertains to end-use export controls regarding State restricted information.

Where the Contractor is handling confidential or sensitive State, employee, citizen or Ohio Business data associated with State data, the Contractor will comply with data handling privacy requirements associated with the data HIPAA and as further defined by The United States Department of Health and Human Services Privacy Requirements and outlined in http://www.hhs.gov/ocr/privacysummary.pdf.

3. Contractor Responsibilities Related to Reporting of Concerns, Issues and Security/Privacy Issues

3.1. General

If over the course of the agreement a security or privacy issue arises, whether detected by the State, a State auditor or the Contractor, that was not existing within an in-scope environment or service prior to the commencement of any Contracted service associated with this agreement, the Contractor must:

Notify the State of the issue or acknowledge receipt of the issue within two (2) hours;

Within forty-eight (48) hours from the initial detection or communication of the issue from the State, present a potential exposure or issue assessment document to the State Account Representative and the State Chief Information Security Officer with a high level assessment as to resolution actions and a plan;

Within four (4) calendar days, and upon direction from the State, implement to the extent commercially reasonable measures to minimize the State’s exposure to security or privacy until such time as the issue is resolved; and

Upon approval from the State implement a permanent repair to the identified issue at the Contractor’s cost.

3.2. Actual or Attempted Access or Disclosure

If the Contractor determines that there is any actual, attempted or suspected theft of, accidental disclosure of, loss of, or inability to account for any PII/SSI by Contractor or any of its subcontractors (collectively “Disclosure”) and/or any unauthorized intrusions into Contractor’s or any of its subcontractor’s facilities or secure systems (collectively “Intrusion”), Contractor must immediately:

Notify the State within two (2) hours of the Contractor becoming aware of the unauthorized Disclosure or Intrusion;


Investigate and determine if an Intrusion and/or Disclosure has occurred;

Fully cooperate with the State in estimating the effect of the Disclosure or Intrusion on the State and fully cooperate to mitigate the consequences of the Disclosure or Intrusion;

Specify corrective action to be taken; and

Take corrective action to prevent further Disclosure and/or Intrusion.

3.3. Unapproved Disclosures and Intrusions: Contractor Responsibilities

Contractor must, as soon as is reasonably practicable, make a report to the State including details of the Disclosure and/or Intrusion and the corrective action Contractor has taken to prevent further Disclosure and/or Intrusion. Contractor must, in the case of a Disclosure, cooperate fully with the State to notify the affected persons as to the fact of and the circumstances of the Disclosure of the PII/SSI. Additionally, Contractor must cooperate fully with all government regulatory agencies and/or law enforcement agencies having jurisdiction to investigate a Disclosure and/or any known or suspected criminal activity.

Where the Contractor identifies a potential issue in maintaining an “as provided” State infrastructure element with the more stringent of an Agency level security policy (which may be federally mandated or otherwise required by law), identifying to Agencies the nature of the issue, and if possible, potential remedies for consideration by the State agency.

If over the course of delivering services to the State under this Statement of Work for in-scope environments the Contractor becomes aware of an issue, or a potential issue that was not detected by security and privacy teams the Contractor is to notify the State within two (2) hours. This notification shall not minimize the more stringent Service Level Agreements pertaining to security scans and breaches contained herein, which due to the nature of an active breach shall take precedence over this notification. Dependent on the nature of the issue the State may elect to contract with the Contractor under mutually agreeable terms for those specific resolution services at that time or elect to address the issue independent of the Contractor.

3.4. Security Breach Reporting and Indemnification Requirements

In case of an actual security breach that may have compromised State Data, the Contractor must notify the State in writing of the breach within two (2) hours of the Contractor becoming aware of the breach and fully cooperate with the State to mitigate the consequences of such a breach. This includes any use or disclosure of the State data that is inconsistent with the terms of this Contract and of which the Contractor becomes aware, including but not limited to, any discovery of a use or disclosure that is not consistent with this Contract by an employee, agent, or subcontractor of the Contractor.

The Contractor must give the State full access to the details of the breach and assist the State in making any notifications to potentially affected people and organizations that the State deems are necessary or appropriate. The Contractor must document all such incidents, including its response to them, and make that documentation available to the State on request.

In addition to any other liability under this Contract related to the Contractor’s improper disclosure of State data, and regardless of any limitation on liability of any kind in this Contract, the Contractor will be responsible for acquiring one year’s identity theft protection service on behalf of any individual or entity whose personally identifiable information is compromised while it is in the Contractor’s possession. Such identity theft protection must provide coverage from all three major credit reporting agencies and provide immediate notice through phone or email of attempts to access the individuals' credit history through those services.

4. Security Review Services


As part of a regular Security Review process, the Contractor will include the following reporting and services to the State:

4.1. Application Software Security

The Contractor will:

Perform configuration review of operating system, application and database settings; and

Ensure software development personnel receive training in writing secure code.


Supplement Two

Supplement Two: OH-1 Crash form
